{
	"id": "c50fd914-0266-4c6d-b2f8-9f4019181037",
	"created_at": "2026-04-06T00:14:06.099158Z",
	"updated_at": "2026-04-10T03:28:34.729389Z",
	"deleted_at": null,
	"sha1_hash": "c3e7712e5bf40795213a87afab2d95df4d77d114",
	"title": "Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75592,
	"plain_text": "Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)\r\nBy Boris Larin\r\nPublished: 2018-12-12 · Archived: 2026-04-02 10:36:50 UTC\r\nExecutive summary\r\nIn October 2018, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis led us to uncover a zero-day vulnerability in ntoskrnl.exe. We reported it to Microsoft on October 29, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8611. Microsoft just released a patch, part of its December update, crediting Kaspersky Lab researchers Boris Larin (Oct0xor) and Igor Soumenkov (2igosha) with the discovery.\r\nThis is the third consecutive exploited Local Privilege Escalation vulnerability in Windows we discovered this autumn using our technologies. Unlike the previously reported vulnerabilities in win32k.sys (CVE-2018-8589 and CVE-2018-8453), CVE-2018-8611 is an especially dangerous threat – a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls.\r\nJust like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to this zero-day and CHAINSHOT, SandCat also uses the FinFisher / FinSpy framework.\r\nKaspersky Lab products detected this exploit proactively through the following technologies:\r\n1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products\r\n2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)\r\nKaspersky Lab verdicts for the artifacts used in this and related attacks are:\r\nHEUR:Exploit.Win32.Generic\r\nHEUR:Trojan.Win32.Generic\r\nPDM:Exploit.Win32.Generic\r\nhttps://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/\r\nPage 1 of 3\n\nBrief details – CVE-2018-8611 vulnerability\r\nCVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.\r\nThis vulnerability successfully bypasses modern process mitigation policies, such as Win32k System Call Filtering, which is used, among others, in the Microsoft Edge Sandbox, and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web browsers.\r\nWe have found multiple builds of the exploit for this vulnerability. The latest build includes changes to reflect the latest versions of the Windows OS.\r\nA check for the latest build at the time of discovery: Windows 10 Redstone 4 Build 17133\r\nSimilarly to CHAINSHOT, this exploit heavily relies on the use of C++ exception handling mechanisms with custom error codes.\r\nTo abuse this vulnerability, the exploit first creates a named pipe and opens it for read and write. Then it creates a pair of new transaction manager objects, resource manager objects and transaction objects, and creates a large number of enlistment objects for what we will call “Transaction #2”. An enlistment is a special object that is used for association between a transaction and a resource manager. When the transaction state changes, the associated resource manager is notified by the KTM. After that it creates one more enlistment object, only now it does so for “Transaction #1”, and commits all the changes made during this transaction.\r\nAfter all the initial preparations have been made, the exploit proceeds to the second part of the vulnerability trigger. It creates multiple threads and binds them to a single CPU core. One of the created threads calls NtQueryInformationResourceManager in a loop, while a second thread tries to execute NtRecoverResourceManager once. But the vulnerability itself is triggered in the third thread. This thread uses a trick of executing NtQueryInformationThread to obtain information on the latest executed syscall for the second thread. Successful execution of NtRecoverResourceManager will mean that the race condition has occurred, and further execution of WriteFile on the previously created named pipe will lead to memory corruption.\r\nProof of concept: execution of WriteFile with buffer set to 0x41\r\nAs always, we provided Microsoft with a proof of concept for this vulnerability, along with source code. It was later shared through the Microsoft Active Protections Program (MAPP).\r\nMore information about SandCat, FruityArmor and CVE-2018-8611 is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com\r\nSource: https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/"
	],
	"report_names": [
		"89253"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d",
			"created_at": "2023-01-06T13:46:38.931567Z",
			"updated_at": "2026-04-10T02:00:03.149736Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "MISPGALAXY:SandCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d",
			"created_at": "2022-10-25T16:07:24.149987Z",
			"updated_at": "2026-04-10T02:00:04.882099Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "ETDA:SandCat",
			"tools": [
				"CHAINSHOT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434446,
	"ts_updated_at": 1775791714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3e7712e5bf40795213a87afab2d95df4d77d114.pdf",
		"text": "https://archive.orkl.eu/c3e7712e5bf40795213a87afab2d95df4d77d114.txt",
		"img": "https://archive.orkl.eu/c3e7712e5bf40795213a87afab2d95df4d77d114.jpg"
	}
}